Threat Operations Manager

Job reference: 000422

Location: Telford

Closing date: 05/07/2022

Salary: £50,000

Employment type: Permanent

Hours per week: 37

The Team

Many of HMRC’s IT services are delivered by Revenue & Customs Digital Technology Services (RCDTS), which was set up in 2016 as a subsidiary of HMRC’s Chief Digital & Information Officer (CDIO) Group. This RCDTS role sits within HMRC’s award-winning Cyber Security Team (CST) who manage and reduce cyber risk by offering world class capabilities to protect, detect and respond to cyber threats including opportunistic cyber threats or targeted intrusions, by undertaking extensive real time monitoring to benefit HMRC, our customers and Other Government Departments (OGD).​​​​​​​


Revenue & Customs Digital Technology Services (RCDTS) are working alongside HM Revenue & Customs (HMRC) and embarking on an ambitious and challenging digital transformation programme which will result in HMRC becoming one of the most digitally advanced tax authorities in the world.

RCDTS was set up in 2015 as a subsidiary of HMRC’s Chief Digital & Information Officer Group and has one of the largest customer bases in the world.

Our role sits within Chief Digital & Information Group (CDIO), we’re increasingly delivering in-

house through our growing network of digital delivery centres – hi-tech, state-of-the-art facilities across the UK.

We’re removing our dependence on data centres, as we increasingly virtualise our estate. We’re fundamentally restructuring the way we look after our IT and the way we work with partners across our ecosystem. But it’s not just about the tech. We’re building a deep understanding of our customers, working in agile ways, and implementing a DevOps approach.

We focus on our people, with clearly defined career pathways that are rewarding, fulfilling and achievable. We have flexible ways of working to help everyone manage their own work/life balance. And we’re creating an authentically diverse and inclusive workplace where everyone feels able to bring their whole self to work.

Role & Responsibilities

We are looking for a passionate and creative person to join our award winning Cyber Security Team and take forward our Threat Operations capability. This post will work alongside incident responders and threat intelligence analysts to hone and improve the organisation’s proactive detection capability.

Working as part of an award winning Cyber Security Team the post holder will:

  • Proactively examine HMRC network and endpoints to detect threats within our infrastructure.
  • Perform attack modelling and testing of HMRC’s Cyber Security controls to improve HMRCs security posture.
  • Perform analysis and forensics on network artefacts and malware samples to document attack capabilities, understand propagation characteristics and define signatures for detecting its presence.
  • Analyse audit and logging data, applying statistical analysis to detect anomalies across large data sets

Person Specification

The ideal candidate will have passion and aptitude for technical Cyber Security work with the motivation to develop and maintain subject matter expertise

The role will be tailored to the skills and experience of the successful candidate.  As such we do not expect candidates to have extensive knowledge in all of the below areas however we would expect in depth knowledge and skills in at least two of the criteria with the proficiency in the rest.

  • Experience of using a variety of analytical tools and methods to identify security compromises within large and complex data sets.

  • Understanding of the systems and high level architecture which underpin corporate IT systems and the techniques deployed to compromise these assets.

  • Experience developing specific detections based on Tactics, Techniques and Procedures (TTPs) obtained from threat intelligence

  • Demonstrable understanding of digital forensics, skills, techniques and tools to perform forensics and root cause analysis on enterprise IT systems

  • Utilise host and network based forensics capabilities to develop information regarding Indicators of Compromise and Tactics, Techniques and Procedures for threat actors and malware

  • Effective reporting, presentation skills with the ability to communicate technical issues to non-technical audience and explain the impact of technical vulnerabilities or threats in business focused language

In addition to the criteria above those candidates invited for interview will also be asked to demonstrate the following Civil Service Competencies.

  • Communicating and Influencing
  • Working Together

Essential criteria:

The post requires Security Check (SC) vetting ( If not already held we will sponsor, although this may take around three months before you can start.

Desirable criteria:

  • Industry recognised Information Security qualifications, relevant Bachelor’s Degree or equivalent experience.  SANS Course Attendance/Certifications of interest include GCIH (504), GCFE (FOR500), GCFA (FOR508), GNFA (FOR572)

Selection Process

A 1,000 word CV detailing work experience and qualifications.​​​​​​​

If you are successful at the sift stage, you will be invited to interview to demonstrate your suitability.

Additional Information

All applicants will need to provide proof that they have the right to work in the UK. Information on Right to Work legislation can be found at Right to Work in UK

We are an equal opportunity employer and value diversity at our company. As such we encourage anybody who needs a reasonable adjustment during the recruitment process to contact the recruiter or hiring manager dealing with your application who will discuss the reasonable adjustments required with you.

We are committed to offering flexible working within our organisation. We will consider all requests to work part-time, flexibly or on a job-share basis. Please speak to the recruitment team or the hiring manager if you would like to discuss flexible working arrangements.

RCDTS is an office-based organisation committed to achieving the optimum work/life balance arrangements for staff. Where business requirements permit, we are fully supportive of a blend of home and office working.

A copy of the RCDTS Book of Benefits is attached to this job advert.

If you are applying for a role in an office within a regional centre location or a transitional or specialist site, then the following may apply: Daily Travel Assistance will be available for this role, provided the successful applicant is a current RCDTS employee and meets the eligibility requirements outlined in the department’s Daily Travel Assistance guidance.

HMRC’s Technology Sourcing Programme (for external adverts only)

HMRC faces a number of contract expiries combined with the need to re-balance control over its digital and technology capability to ensure HMRC can respond quickly and effectively to changing requirements and priorities.

This is a multi-year programme to transform how HMRC delivers and uses IT. The programme is in place to design and deliver the safe disaggregation, exit and transition of HMRC’s major IT contracts and stand-up new arrangements to deliver both IT run and change activity.

The programme will develop and implement a new technology supply chain model, protect live services, enable the department to remediate and prevent technical debt, reduce risk in our IT estate, improve cost effectiveness, provide flexibility and establish partnerships with suppliers to deliver innovation.

What does this mean for RCDTS? - The programme is due to impact the services that RCDTS currently provides to HMRC. As a result, it is expected that some services currently provided by RCDTS will be delivered within HMRC in the future, and some services will instead be delivered by third party supplier partners. We expect this will mean that, in due course, some RCDTS colleagues will transfer to third party suppliers and other RCDTS colleagues will transfer to HMRC, under the ‘TUPE’ Regulations. RCDTS as a company is due to be closed down once these processes are concluded. There will be prior consultation with RCDTS employees, including via RCDTS’ Employee Forum, on the potential transfers due to result from TSP. More information will therefore be provided to staff before any changes take effect.


The closing date for this job has now passed.